Wednesday, April 16, 2025

Ivanti EPM SQL Injection Flaw Let Attackers Execute Remote Code


On May 24, 2024, the Zero Day Initiative (ZDI) released a security advisory for Ivanti EPM describing a SQL injection vulnerability that leads to remote code execution.

This vulnerability was assigned CVE-2024-29824, with a severity of 9.6 (Critical).

Although ZDI did not share any additional information about this critical vulnerability, it did name the affected function in Ivanti EPM: “RecordGoodApp”.


However, a proof-of-concept for this vulnerability has been published by Horizon3 researchers.

Technical Analysis – Proof Of Concept

According to the reports shared with Cyber Security News, this RecordGoodApp function existed in the PatchBiz.dll file present in the installation folder.


This DLL was then dissected using the JetBrains dotPeek tool for further review. PatchBiz.dll is a C# binary.

RecordGoodApp Disassembly (Source: Horizon3)

On investigating the SQL statements in this binary, the first SQL statement was found to be vulnerable to SQL injection because it used string.Format to insert the value of goodApp.md5 into the SQL query.

Additionally, the RecordGoodApp function is first called from AppMonitorAction.RecordPatchIssue, where the call sits inside an if/else statement.
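The string-formatting pattern described above, shown next to its fix. This is an added example in Python with sqlite3, not code from PatchBiz.dll or from Horizon3: str.format stands in for string.Format, and the table, column and function names are hypothetical because the page does not show the real statement.

```python
import re
import sqlite3

# Hypothetical schema and query: the page does not show the real SQL statement.
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
CRAFTED = "x' OR '1'='1"  # constructed value that is not an MD5 digest

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE good_apps (md5 TEXT, name TEXT)")
    db.executemany("INSERT INTO good_apps VALUES (?, ?)", [
        ("d41d8cd98f00b204e9800998ecf8427e", "empty.exe"),
        ("9e107d9d372bb6826bd81d3542a419d6", "fox.exe"),
    ])
    return db

def lookup_formatted(db, md5):
    # Vulnerable: like string.Format, this pastes the value into the SQL text,
    # so a quote in the value ends the literal and the rest is parsed as SQL.
    sql = "SELECT name FROM good_apps WHERE md5 = '{0}' ORDER BY name".format(md5)
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, md5):
    # Hardened: the value travels as a bound parameter and is only ever data.
    sql = "SELECT name FROM good_apps WHERE md5 = ? ORDER BY name"
    return [row[0] for row in db.execute(sql, (md5,))]

def lookup_validated(db, md5):
    # Defence in depth: reject anything that is not 32 hex characters first.
    if not MD5_RE.fullmatch(md5):
        raise ValueError("md5 must be exactly 32 hexadecimal characters")
    return lookup_bound(db, md5)

if __name__ == "__main__":
    db = make_db()
    print(lookup_formatted(db, CRAFTED))  # every row: the WHERE clause was rewritten
    print(lookup_bound(db, CRAFTED))      # no rows: compared as a literal string
```

A field that is supposed to hold an MD5 digest has a fixed shape, so the format check costs nothing and rejects malformed input before it reaches the database layer.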

AppMonitorAction.RecordPatchIssue (Source: Horizon3)

Further, AppMonitorAction.RecordPatchIssue is called by Patch.UpdateActionHistory, which in turn is called from three different locations: LANDesk.ManagementSuite.PatchBiz, LANDesk.ManagementSuite.WSVulnerabilityCore and StatusEvents.

Patch.UpdateActionHistory Usage (Source: Horizon3)

Among these locations, StatusEvents.EventHandler.UpdateStatusEvents was the most interesting, as it is annotated with [WebMethod] inside the EventHandler class.

The EventHandler class inherits from System.Web.Services.WebService, which means that UpdateStatusEvents can be reached over HTTP.

Triggering The Exploit

To find where this EventHandler class is exposed, IIS Manager was used, which showed that EventHandler.cs is served from the /WSStatusEvents endpoint. Visiting this endpoint provided a list of sample requests and responses.

IIS Manager WSStatusEvents (Source: Horizon3)

Further analysis involved sending requests to this endpoint, ending with one particular request that used xp_cmdshell.

xp_cmdshell can execute commands on the system, which makes it possible to achieve remote code execution on a vulnerable Ivanti EPM installation.

Successfully exploiting using Burp (Source: Horizon3)

Horizon3 has released exploit code that triggers this vulnerability, which is now available on GitHub.

Users can examine the MS SQL logs for use of xp_cmdshell to identify malicious activity.

It is recommended that Ivanti EPM users upgrade their products to the latest version to prevent threat actors from exploiting this vulnerability.

MS SQL Logs as Indicators of Compromise of using xp_cmdshell (Source: Horizon3)
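One way to run the log check described above, as an added example that is not from Horizon3 or Ivanti. It assumes the SQL Server ERRORLOG text layout and the server's standard "Configuration option ... changed" message; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample lines in the SQL Server ERRORLOG layout: timestamp, source, message.
SAMPLE_LOG = """\
2024-06-12 09:58:01.12 spid12s     Starting up database 'msdb'.
2024-06-12 10:15:32.45 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-12 10:15:32.47 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-06-12 10:15:40.02 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2024-06-12 11:02:17.90 spid61      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+(?P<src>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)
WATCHED = {"xp_cmdshell", "show advanced options"}

def config_changes(log_text):
    """Return changes to the watched options as dicts, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["opt"].lower() in WATCHED:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                "source": m["src"], "option": m["opt"].lower(),
                "old": int(m["old"]), "new": int(m["new"]),
            })
    return events

def xp_cmdshell_windows(events):
    """Pair each enable of xp_cmdshell with the next disable; end is None if still on."""
    windows, opened = [], None
    for e in events:
        if e["option"] != "xp_cmdshell":
            continue
        if e["new"] == 1 and opened is None:
            opened = e
        elif e["new"] == 0 and opened is not None:
            windows.append((opened["time"], e["time"], opened["source"]))
            opened = None
    if opened is not None:
        windows.append((opened["time"], None, opened["source"]))
    return windows
```

Each returned window gives the start time, end time and session that enabled xp_cmdshell, which can then be compared against approved change records. On a real server the ERRORLOG file is typically UTF-16 encoded, so decode it before passing the text in.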


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
